CIBA: Authentication Error Responses can't all be returned from the Backchannel Authentication Endpoint
These are the errors defined for the Authentication Error Response:
- invalid_request
- invalid_scope
- expired_token
- unauthorized_client
- access_denied
- unknown_user_id
However, the access_denied error can't be returned from the Backchannel Authentication Endpoint, as it will only occur after the OP has attempted to authenticate the user out of bounds on the authentication device.
The access_denied error should therefore be returned from the token endpoint for the polling and notification callback modes.
For the delivery callback mode (formerly the notification mode), the error should be sent to the client notification endpoint.
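As an added illustration (not code from the CIBA draft or from any OP implementation), the Python below models the routing this issue describes: the Backchannel Authentication Endpoint only answers with the errors it can decide while validating the request, whereas access_denied (and a timed-out request, expired_token) is delivered later, through the token endpoint for the polling and notification callback modes or through the client notification endpoint for the delivery callback mode. The short mode labels poll, ping and push are assumed names for those three modes, and the client ids, user ids and auth_req_id values are constructed sample data.

```python
"""Where a CIBA OpenID Provider delivers each authentication error.

Added illustration, not code from the CIBA draft or any OP. Mode labels
are assumed short names: "poll" and "ping" stand for the polling and
notification callback modes (errors at the token endpoint), "push" for
the delivery callback mode (errors at the client notification endpoint).
Client ids, user ids and auth_req_id values are constructed sample data.
"""
from dataclasses import dataclass

# Errors the OP can decide synchronously, while validating the
# backchannel authentication request itself.
BACKCHANNEL_ERRORS = frozenset({
    "invalid_request", "invalid_scope", "unauthorized_client", "unknown_user_id",
})
# Errors that only exist after the OP has tried to authenticate the user
# out of band on the authentication device.
ASYNC_ERRORS = frozenset({"access_denied", "expired_token"})

# Constructed sample data: which delivery mode each client registered with.
REGISTERED_CLIENTS = {"client-poll": "poll", "client-ping": "ping", "client-push": "push"}
KNOWN_USERS = frozenset({"alice@example.com"})


@dataclass(frozen=True)
class Delivery:
    endpoint: str  # "backchannel", "token" or "notification"
    body: dict


def backchannel_authentication(request: dict) -> Delivery:
    """Synchronous half: return an error, or an auth_req_id for the async half."""
    client_id = request.get("client_id")
    if client_id not in REGISTERED_CLIENTS:
        return Delivery("backchannel", {"error": "unauthorized_client"})
    if "openid" not in request.get("scope", "").split():
        return Delivery("backchannel", {"error": "invalid_scope"})
    hints = [h for h in ("login_hint", "login_hint_token", "id_token_hint") if h in request]
    if len(hints) != 1:
        return Delivery("backchannel", {
            "error": "invalid_request",
            "error_description": "exactly one of login_hint, login_hint_token, id_token_hint",
        })
    # Simplification: a real OP would validate a login_hint_token or
    # id_token_hint; here every hint is treated as a plain user identifier.
    if request[hints[0]] not in KNOWN_USERS:
        return Delivery("backchannel", {"error": "unknown_user_id"})
    # No synchronous error: authentication now continues on the device.
    return Delivery("backchannel", {"auth_req_id": f"req-{client_id}", "expires_in": 120})


def deliver_async_error(client_id: str, auth_req_id: str, error: str) -> Delivery:
    """Route an error that arose on the authentication device.

    By the time the user denies (or the request times out) the backchannel
    response has already been sent, so access_denied and expired_token
    cannot come from that endpoint. Poll and ping clients see the error in
    their next token request; push clients get it POSTed to the client
    notification endpoint, keyed by auth_req_id.
    """
    if error not in ASYNC_ERRORS:
        raise ValueError(f"{error} is decided at the backchannel endpoint, not after authentication")
    mode = REGISTERED_CLIENTS[client_id]
    if mode in ("poll", "ping"):
        return Delivery("token", {"error": error})
    return Delivery("notification", {"auth_req_id": auth_req_id, "error": error})


if __name__ == "__main__":
    req = {"client_id": "client-push", "scope": "openid", "login_hint": "alice@example.com"}
    first = backchannel_authentication(req)
    print(first)
    # The user rejects the request on the authentication device.
    print(deliver_async_error("client-push", first.body["auth_req_id"], "access_denied"))
```

The two functions deliberately share no error names: anything in ASYNC_ERRORS is rejected by the synchronous half and anything in BACKCHANNEL_ERRORS is rejected by the asynchronous one, which is the separation the issue asks the spec text to make explicit.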
Comments (6)
- reporter: There was discussion that access_denied could still be a valid error in the authentication error response, as a user may have blanket blocked access to a certain type of client, or the AS might make the decision on the user's behalf. The spec should expand on the definition of access_denied. However, we agreed that it was also possible for an access_denied error to be returned from the token endpoint and that the spec should add this in.
- We should probably reconcile (at least for token endpoint error code registrations) the error codes defined in the (hopefully soon to be RFC) device flow https://tools.ietf.org/html/draft-ietf-oauth-device-flow-12#section-3.5 which does have an access_denied code from the token endpoint.
- reporter: To discuss:
  - expired_login_hint_token
  - HTTP error codes (I've removed the 404 response)
  Do we need this error, and what should it be called? It was generically called expired_token, but I think we've agreed that an id_token_hint could be an expired id_token, so it doesn't make sense to apply the error to id_token_hints.
- changed status to resolved
- merged pull request #26
yup